Abstract

Let $p$ be a prime. Given a polynomial in $\mathbb{F}_{p^m}[x]$ of degree $d$ over the finite field $\mathbb{F}_{p^m}$, one can view it as a map from $\mathbb{F}_{p^m}$ to $\mathbb{F}_{p^m}$, and examine the image of this map, also known as the value set. In this paper, we present the first non-trivial algorithm and the first complexity result on computing the cardinality of this value set. We show an elementary connection between this cardinality and the number of points on a family of varieties in affine space. We then apply Lauder and Wan's $p$-adic point-counting algorithm to count these points, resulting in a non-trivial algorithm for calculating the cardinality of the value set. The running time of our algorithm is $(pmd)^{O(d)}$. In particular, this is a polynomial time algorithm for fixed $d$ if $p$ is reasonably small. We also show that the problem is #P-hard when the polynomial is given in a sparse representation, $p = 2$, and $m$ is allowed to vary, or when the polynomial is given as a straight-line program, $m = 1$ and $p$ is allowed to vary. Additionally, we prove that it is NP-hard to decide whether a polynomial represented by a straight-line program has a root in a prime-order finite field, thus resolving an open problem proposed by Kaltofen and Koiran in [4, 5].
1 Introduction

In a finite field with $q = p^m$ ($p$ prime) elements, $\mathbb{F}_q$, take a polynomial $f \in \mathbb{F}_q[x]$ with degree $d > 0$. Denote the image set of this polynomial as

$$V_f = \{ f(a) \mid a \in \mathbb{F}_q \}$$

and denote the cardinality of this set as $\#(V_f)$.

There are a few trivial bounds that can be immediately established. There are only $q$ elements in the field, so $\#(V_f) \le q$. Additionally, any polynomial of degree $d$ can have at most $d$ roots, thus for all $a \in V_f$, $f(x) = a$ is satisfied at most $d$ times. This is true for every element in $V_f$, so $\#(V_f) \cdot d \ge q$, whence

$$\left\lceil \frac{q}{d} \right\rceil \le \#(V_f) \le q$$

(where $\lceil \cdot \rceil$ is the ceiling function).

Both of these bounds can be achieved: if $\#(V_f) = q$, then $f$ is called a permutation polynomial and if $\#(V_f) = \lceil q/d \rceil$, then $f$ is said to have a "minimal value set".

The problem of establishing $\#(V_f)$ has been studied in various forms for at least the last 115 years, but exact formulations for $\#(V_f)$ are known only for polynomials in very specific forms. Results that apply to general polynomials are asymptotic in nature, or provide estimates whose errors have reasonable bounds only on average [W\ -

The fundamental problem of counting the value set cardinality $\#(V_f)$ can be thought of as a much more general version of the problem of determining if a particular polynomial is a permutation polynomial. Shparlinski [13] provided a baby-step giant-step type test that determines if a given polynomial is a permutation polynomial by extending [15] to an algorithm that runs in $O((dq)^{6/7})$. This is still fully exponential in $\log q$. Ma and von zur Gathen [9] provide a ZPP (zero-error probabilistic polynomial time) algorithm for testing if a given polynomial is a permutation polynomial. According to [6], the first deterministic polynomial time algorithm for testing permutation polynomials is obtained by Lenstra using the classification of exceptional polynomials which in turn depends on the classification of finite simple groups. Subsequently, an elementary approach based on the Gao-Kaltofen-Lauder factorization algorithm is given by Kayal [6].

For the more general problem of exactly computing $\#(V_f)$, essentially nothing is known about this problem's complexity and no non-trivial algorithms are known. For instance, no baby-step giant-step type algorithm is known for computing $\#(V_f)$. No probabilistic polynomial time algorithm is known. Finding a non-trivial algorithm and proving a non-trivial complexity result for the value counting were raised as open problems in [9], where a probabilistic approximation algorithm is given. In this paper, we provide the first non-trivial algorithm and the first non-trivial complexity result for the exact counting of the value set problem.



1.1 Our results 

Perhaps the most obvious method to calculate $\#(V_f)$ is to evaluate the polynomial at each point in $\mathbb{F}_q$ and count how many distinct images result. This algorithm has a time and space complexity $(dq)^{O(1)}$. One can also approach this problem by operating on points in the co-domain. One has $f(x) = a$ for some $x \in \mathbb{F}_q$ if and only if $f_a(X) = f(X) - a$ has a zero in $\mathbb{F}_q$; this algorithm again has a time complexity $(dq)^{O(1)}$, but the space complexity is improved considerably to $(d \log q)^{O(1)}$.

In this paper we present several results on determining the cardinality of value sets. On the algorithmic side, we show an elementary connection between this cardinality and the number of points on a family of varieties in affine space. We then apply the Lauder-Wan $p$-adic point-counting algorithm [8], resulting in a non-trivial algorithm for calculating the image set cardinality in the case that $p$ is sufficiently small (i.e., $p = O((d \log q)^C)$ for some positive constant $C$). Precisely, we have

Theorem 6. There exists an explicit deterministic algorithm and an explicit polynomial $R$ such that for any $f \in \mathbb{F}_q[x]$ of degree $d$, where $q = p^m$ ($p$ prime), the algorithm computes the cardinality of the image set, $\#(V_f)$, in a number of bit operations bounded by $R(m^d d^d p^d)$.

The running time of this algorithm is polynomial in both $p$ and $m$, but is exponential in $d$. In particular, this is a polynomial time algorithm for fixed $d$ if the characteristic $p$ is small ($q = p^m$ can be large).

On the complexity side, we have several hardness results on the value set problem. With a 
field of characteristic p = 2, we have 

Theorem 3. The problem of counting the value set of a sparse polynomial over a finite field of characteristic $p = 2$ is #P-hard.

The idea of our proof of this theorem is to reduce the problem of counting satisfying assignments for a 3SAT formula to the problem of value set counting.

Over a prime-order finite field, we have

Theorem 5. Over a prime-order finite field $\mathbb{F}_p$, the problem of counting the value set is #P-hard under RP-reduction, if the polynomial is given as a straight-line program.

Additionally, we prove that it is NP-hard to decide whether a polynomial in $\mathbb{Z}[x]$ represented by a straight-line program has a root in a prime-order finite field, thus resolving an open problem proposed in [4], [5]. We accomplish the complexity results over prime-order finite fields by reducing the prime-order finite field subset sum problem (PFFSSP) to these problems.

In the PFFSSP, given a prime $p$, an integer $b$ and a set of integers $S = \{a_1, a_2, \dots, a_t\}$, we want to decide the solvability of the equation

$$a_1x_1 + a_2x_2 + \dots + a_tx_t \equiv b \pmod{p}$$

with $x_i \in \{0,1\}$ for $1 \le i \le t$. The main idea comes from the observation that if $t < \log p/3$, there is a sparse polynomial $\alpha(x) \in \mathbb{F}_p[x]$ such that as $x$ runs over $\mathbb{F}_p$, the vector

$$(\alpha(x), \alpha(x+1), \dots, \alpha(x+t-1))$$

runs over all the elements in $\{0,1\}^t$. In fact, a lightly modified version of the quadratic character, $\alpha(x) = (x^{(p-1)/2} + x^{p-1})/2$, suffices. So the PFFSSP can be reduced to deciding whether the shift sparse polynomial $\sum_{i=0}^{t-1} a_{i+1}\alpha(x+i) - b = 0$ has a solution in $\mathbb{F}_p$.

2 Background

2.1 The subset sum problem

To prove the complexity results, we use the subset sum problem (SSP) extensively. The SSP is a well-known problem in computer science. In one instance of the SSP, given an integer $b$ and a set of positive integers $S = \{a_1, a_2, \dots, a_t\}$,

1. (Decision version) the goal is to decide whether there exists a subset $T \subseteq S$ such that the sum of all the integers in $T$ equals $b$,

2. (Search version) the goal is to find a subset $T \subseteq S$ such that the sum of all the integers in $T$ equals $b$,

3. (Counting version) the goal is to count the number of subsets $T \subseteq S$ such that the sum of all the integers in $T$ equals $b$.

The decision version of the SSP is a classical NP-complete problem. The counting version of the SSP is #P-complete, which can be easily derived from proofs of the NP-completeness of the decision version, e.g. [2, Theorem 34.15].

One can view the SSP as a problem of solving the linear equation

$$a_1x_1 + a_2x_2 + \dots + a_tx_t = b$$

with $x_i \in \{0,1\}$ for $1 \le i \le t$. The prime-order finite field subset sum problem is a similar problem where in addition to $b$ and $S$, one is given a prime $p$, and the goal is to decide the solvability of the equation

$$a_1x_1 + a_2x_2 + \dots + a_tx_t \equiv b \pmod{p}$$

with $x_i \in \{0,1\}$ for $1 \le i \le t$.

Proposition 1. The prime-order finite field subset sum problem is NP-hard under RP-reduction.

Proof. To reduce the subset sum problem to the prime-order finite field subset sum problem, one finds a prime $p > \sum_{i=1}^{t} a_i$, which can be done in randomized polynomial time. □

Remark 1. To make the reduction deterministic, one needs to de-randomize the problem of 
finding a large prime, which appears to be hard Jj^[ /. 

2.2 Polynomial representations 

There are different ways to represent a polynomial over a field $\mathbb{F}$. The dense representation lists all the coefficients of a polynomial, including the zero coefficients. The sparse representation lists only the nonzero coefficients, along with the degrees of the corresponding terms. If most of the coefficients of a polynomial are zero, then the sparse representation is much shorter than the dense representation. A sparse shift representation of a polynomial in $\mathbb{F}[x]$ is a list of $n$ triples $(a_i, b_i, e_i) \in \mathbb{F} \times \mathbb{F} \times \mathbb{Z}_{\ge 0}$ which represents the polynomial

$$\sum_{1 \le i \le n} a_i (x + b_i)^{e_i}.$$

More generally, a straight-line program for a univariate polynomial in $\mathbb{Z}[x]$ or $\mathbb{F}_p[x]$ is a sequence of assignments, starting from $x_1 = 1$ and $x_2 = x$. After that, the $i$-th assignment has the form

$$x_i = x_j \odot x_k$$

where $0 < j, k < i$ and $\odot$ is one of the three operations $+$, $-$, $\times$. We first let $\alpha$ be an element in $\mathbb{F}_{p^m}$ such that $\mathbb{F}_{p^m} = \mathbb{F}_p[\alpha]$. A straight-line program for a univariate polynomial in $\mathbb{F}_{p^m}[x]$ can be defined similarly, except that the sequence starts from $x_1 = \alpha$ and $x_2 = x$. One can verify that a straight-line program computes a univariate polynomial, and that sparse polynomials and sparse shift polynomials have short straight-line programs. A polynomial produced by a short straight-line program may have very high degree, and most of its coefficients may be nonzero, so it may be costly to write it in either a dense form or a sparse form.

3 Hardness of solving straight-line polynomials 

It is known that deciding whether there is a root in a finite field extension for a sparse polynomial is NP-hard [7]. In a related work, it was shown that deciding whether there is a $p$-adic rational root for a sparse polynomial is NP-hard [1]. However, the complexity of deciding the solvability of a straight-line polynomial in $\mathbb{Z}[x]$ within a prime-order finite field was not known. This open problem was proposed in [4] and [5]. We resolve this problem within this section, and this same idea will be used later on to prove the hardness result of the value set counting problem.

Let $p$ be an odd prime. Let $\chi$ be the quadratic character modulo $p$, namely $\chi(x)$ equals $1$, $-1$, or $0$, depending on whether $x$ is a quadratic residue, a quadratic non-residue, or is congruent to $0$ modulo $p$. For $x \in \mathbb{F}_p$, $\chi(x) = x^{(p-1)/2}$. Consider the list

$$\chi(1), \chi(2), \dots, \chi(p-1). \qquad (1)$$

It is a sequence in $\{1, -1\}^{p-1}$. The following bound is a standard consequence of the celebrated Weil bound for character sums, see [12] for a detailed proof.

Proposition 2. Let $(b_1, b_2, \dots, b_t)$ be a sequence in $\{1, -1\}^t$. Then the number of $x \in \mathbb{F}_p$ such that

$$\chi(x) = b_1,\ \chi(x+1) = b_2,\ \dots,\ \chi(x+t-1) = b_t$$

is in the range $\left(p/2^t - t(3 + \sqrt{p}),\ p/2^t + t(3 + \sqrt{p})\right)$.

The proposition implies that if $t < \log p/3$, then every possible sequence in $\{-1, 1\}^t$ occurs as a consecutive sub-sequence in expression (1). In many situations it is more convenient to use binary 0/1 sequences, which suggests instead using the polynomial $(x^{(p-1)/2} + 1)/2$, but this results in a small problem at $x = 0$. We instead use the sparse polynomial

$$\alpha(x) = (x^{(p-1)/2} + x^{p-1})/2.$$

$\alpha(x)$ takes value in $\{0, 1\}$ if $x \in \mathbb{F}_p$, and $\alpha(x) = 1$ iff $\chi(x) = 1$.

Corollary 1. If $t < \log p/3$, then for any binary sequence $(b_1, b_2, \dots, b_t) \in \{0, 1\}^t$, there exists an $x \in \mathbb{F}_p$ such that

$$\alpha(x) = b_1,\ \alpha(x+1) = b_2,\ \dots,\ \alpha(x+t-1) = b_t.$$

In other words, if $t < \log p/3$, the map

$$x \mapsto (\alpha(x), \alpha(x+1), \dots, \alpha(x+t-1))$$

is an onto map from $\mathbb{F}_p$ to $\{0,1\}^t$; this map thus sends an algebraic object to a combinatorial object.

Given a straight-line polynomial $f(x) \in \mathbb{Z}[x]$ and a prime $p$, how hard is it to decide whether the polynomial has a solution in $\mathbb{F}_p$? We now prove that this problem is NP-hard.

Theorem 1. Given a sparse shift polynomial $f(x) \in \mathbb{Z}[x]$ and a large prime $p$, it is NP-hard to decide whether $f(x)$ has a root in $\mathbb{F}_p$.

Proof. We reduce the (decision version of the) subset sum problem to this problem. Given $b \in \mathbb{Z}_{>0}$ and $S = \{a_1, a_2, \dots, a_t\} \subseteq \mathbb{Z}_{>0}$, one finds a prime $p > \max(2^{3t}, \sum_{i=1}^{t} a_i)$ and constructs a sparse shift polynomial

$$\beta(x) := \sum_{i=0}^{t-1} a_{i+1}\,\alpha(x+i) - b. \qquad (2)$$

If the polynomial has a solution modulo $p$, then the answer to the subset sum problem is "yes", since for any $x \in \mathbb{F}_p$, $\alpha(x+i) \in \{0, 1\}$.

In the other direction, if the answer to the subset sum problem is "yes", then according to Corollary 1 the polynomial has a solution in $\mathbb{F}_p$. Note that the reduction can be computed in randomized polynomial time. □

4 Complexity of the value set counting problem

In this section, we prove several results about the complexity of the value set counting problem.

4.1 Finite field extensions

We will use a problem about $\mathrm{NC}^0_5$ circuits to prove that counting the value set of a sparse polynomial in a binary field is #P-hard. A Boolean circuit is in $\mathrm{NC}^0_5$ if every output bit of the circuit depends only on at most 5 input bits. We can view a circuit with $n$ input bits and $m$ output bits as a map from $\{0,1\}^n$ to $\{0,1\}^m$ and call the image of the map the value set of the circuit. The following proposition is implied in We will sketch the proof for completeness.

Proposition 3. Given a 3SAT formula with $n$ variables and $m$ clauses, one can construct in polynomial time an $\mathrm{NC}^0_5$ circuit with $n + m$ input bits and $n + m$ output bits, such that if there are $M$ satisfying assignments for the 3SAT formula, then the cardinality of the value set of the $\mathrm{NC}^0_5$ circuit is $2^{n+m} - 2^{m-1}M$. In particular, if the 3SAT formula cannot be satisfied, then the circuit computes a permutation from $\{0,1\}^{n+m}$ to $\{0,1\}^{n+m}$.

Proof. Denote the variables of the 3SAT formula by $x_1, x_2, \dots, x_n$, and the clauses of the 3SAT formula by $C_1, C_2, \dots, C_m$. Build a circuit with $n + m$ input bits and $n + m$ output bits as follows. The input bits will be denoted by $x_1, x_2, \dots, x_n, y_1, y_2, \dots, y_m$ and output bits will be denoted by $z_1, z_2, \dots, z_n, w_1, w_2, \dots, w_m$. Set $z_i = x_i$ for $1 \le i \le n$. And set

$$w_i = \left(C_i \wedge (y_i \oplus y_{i+1 \,(\mathrm{mod}\ m)})\right) \vee (\neg C_i \wedge y_i)$$

for $1 \le i \le m$. In other words, if $C_i$ is evaluated to be TRUE, then output $y_i \oplus y_{i+1 \,(\mathrm{mod}\ m)}$ as $w_i$, and otherwise output $y_i$ as $w_i$. Note that $C_i$ depends only on 3 variables from $\{x_1, x_2, \dots, x_n\}$, thus we obtain an $\mathrm{NC}^0_5$ circuit. After fixing an assignment to $x_i$'s, $z_i$'s are also fixed, and the transformation from $(y_1, y_2, \dots, y_m)$ to $(w_1, w_2, \dots, w_m)$ is linear over $\mathbb{F}_2$. One can verify that the linear transformation has rank $m - 1$ if the assignment satisfies all the clauses, and it has rank $m$ (namely it is full rank) if some of the clauses are not satisfied. So the cardinality of the value set of the circuit is

$$M 2^{m-1} + (2^n - M)2^m = 2^{n+m} - 2^{m-1}M.$$

□

If we replace the Boolean gates in the $\mathrm{NC}^0_5$ circuit by algebraic gates over $\mathbb{F}_2$, we obtain an algebraic circuit that computes a polynomial map from $\mathbb{F}_2^{n+m}$ to itself, where each polynomial depends only on 5 variables and has degree equal to or less than 5. There is an $\mathbb{F}_2$-basis for $\mathbb{F}_{2^{n+m}}$, say $\omega_1, \omega_2, \dots, \omega_{n+m}$, which induces a bijection from $\mathbb{F}_2^{n+m}$ to $\mathbb{F}_{2^{n+m}}$ given by

$$(x_1, x_2, \dots, x_{n+m}) \mapsto \sum_{i=1}^{n+m} x_i \omega_i$$

which has an inverse that can be represented by sparse polynomials in $\mathbb{F}_{2^{n+m}}[x]$. Using this fact, we can replace the input bits of the algebraic circuit by sparse polynomials, and collect the output bits together using the basis to form a single element in $\mathbb{F}_{2^{n+m}}$. We thus obtain a sparse univariate polynomial in $\mathbb{F}_{2^{n+m}}[x]$ from the $\mathrm{NC}^0_5$ circuit such that their value sets have the same cardinality. We thus have the following theorem:

Theorem 2. Given a 3SAT formula with $n$ variables and $m$ clauses, one can construct in polynomial time a sparse polynomial $\gamma(x)$ in $\mathbb{F}_{2^{n+m}}[x]$ such that the value set of $\gamma(x)$ has cardinality $2^{n+m} - 2^{m-1}M$, where $M$ is the number of satisfying assignments of the 3SAT formula.

Since counting the number of satisfying assignments for a 3SAT formula is #P-complete, we 
have our main theorem: 

Theorem 3. The problem of counting the value set of a sparse polynomial over a finite field of 
characteristic p = 2 is #P-hard. 

4.2 Prime-order finite fields 

The construction in Theorem 2 relies on building field extensions. The technique cannot be adopted easily to the prime-order finite field case. We will prove that counting the value set of a straight-line polynomial over prime-order finite field is #P-hard. We reduce the counting version of subset sum problem to the value set counting problem.

Theorem 4. Given access to an oracle that solves the value set counting problem for straight- 
line polynomials over prime-order finite fields, there is a randomized polynomial-time algorithm 
solving the counting version of the SSP. 

Proof. Given an instance of the counting subset sum problem, $b$ and $S = \{a_1, a_2, \dots, a_n\}$, if $b > \sum_{i=1}^{t} a_i$, answer 0; if $b = 0$, then we answer 1. Otherwise we find a prime $p > \max(2^{3t}, \sum_{i=1}^{t} a_i)$ and ask the oracle to count the value set of the shift sparse polynomial

$$f(x) := \left(1 - \beta(x)^{p-1}\right)\left(\sum_{i=0}^{t-1} \alpha(x+i)\,2^i\right)$$

over the prime-order field $\mathbb{F}_p$. We output the answer $\#(V_f) - 1$, which is easily seen to be exactly the number of subsets of $\{a_1, \dots, a_n\}$ which sum to $b$. □

Since the counting version of the SSP is #P-complete, this theorem yields 

Theorem 5. Over a prime-order finite field Fp, the problem of counting the value set is #P-hard 
under RP-reduction, if the polynomial is given as a straight-line program. 
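
An added example, not code from the paper: the reduction in the proof of Theorem 4 run on a small constructed subset sum instance, with a brute-force value set count standing in for the oracle. It assumes $p$ is the smallest prime above $\max(2^{3t}, \sum a_i)$; all function names are illustrative, and `window_is_onto` checks the onto property of Corollary 1 directly for that $p$.

```python
from itertools import combinations


def prime_above(n):
    """Smallest prime strictly greater than n (trial division; fine for small n)."""
    c = n + 1
    while c < 2 or any(c % d == 0 for d in range(2, int(c ** 0.5) + 1)):
        c += 1
    return c


def alpha(x, p):
    """alpha(x) = (x^((p-1)/2) + x^(p-1)) / 2 in F_p: 1 on nonzero squares, else 0."""
    half = pow(2, -1, p)
    return (pow(x, (p - 1) // 2, p) + pow(x, p - 1, p)) * half % p


def window_is_onto(p, t):
    """Does x -> (alpha(x), ..., alpha(x+t-1)) hit every element of {0,1}^t?"""
    seen = {tuple(alpha(x + i, p) for i in range(t)) for x in range(p)}
    return len(seen) == 2 ** t


def beta(x, a, b, p):
    """beta(x) = sum_{i=0}^{t-1} a_{i+1} * alpha(x+i) - b  (mod p)."""
    return (sum(ai * alpha(x + i, p) for i, ai in enumerate(a)) - b) % p


def f(x, a, b, p):
    """f(x) = (1 - beta(x)^(p-1)) * sum_{i=0}^{t-1} alpha(x+i) * 2^i  (mod p)."""
    is_root = (1 - pow(beta(x, a, b, p), p - 1, p)) % p      # 1 iff beta(x) = 0
    code = sum(alpha(x + i, p) << i for i in range(len(a)))  # bitmask of the subset
    return is_root * code % p


def count_subsets_via_value_set(a, b):
    """Counting SSP answered as #(V_f) - 1, following the case split in the proof."""
    if b > sum(a):
        return 0
    if b == 0:
        return 1
    p = prime_above(max(2 ** (3 * len(a)), sum(a)))
    value_set = {f(x, a, b, p) for x in range(p)}  # brute force replaces the oracle
    return len(value_set) - 1


def count_subsets_bruteforce(a, b):
    """Reference answer: enumerate every subset of a and compare its sum with b."""
    return sum(1 for r in range(len(a) + 1)
               for T in combinations(a, r) if sum(T) == b)


# Constructed instance: S = {3, 5, 8}; the subsets summing to 8 are {8} and {3, 5}.
SAMPLE_S = [3, 5, 8]

if __name__ == "__main__":
    for target in range(0, 18):
        print(target, count_subsets_via_value_set(SAMPLE_S, target),
              count_subsets_bruteforce(SAMPLE_S, target))
```

The value 0 is always in the value set because some window makes $\beta(x) \ne 0$, and each nonzero value is the bitmask of exactly one subset summing to $b$, which is why one is subtracted.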

5 The Image Set and Point Counting 

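Proposition 4. If $f \in \mathbb{F}_q[x]$ is a polynomial of degree $d > 0$, then the cardinality of its image set is

$$\#(V_f) = \sum_{i=1}^{d} (-1)^{i-1} N_i\, \sigma_i\!\left(1, \tfrac{1}{2}, \dots, \tfrac{1}{d}\right) \qquad (3)$$

where $N_k = \#\left(\{(x_1, \dots, x_k) \in \mathbb{F}_q^k \mid f(x_1) = \dots = f(x_k)\}\right)$ and $\sigma_i$ denotes the $i$th elementary symmetric function on $d$ elements.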

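Proof. For any $y \in V_f$, define

$$\widetilde{N}_{k,y} = \{(x_1, \dots, x_k) \in \mathbb{F}_q^k \mid f(x_1) = \dots = f(x_k) = y\}$$

and denote the corresponding cardinality of these sets as

and finally, note that

Let us refer to the right hand side of (3) as $\eta$; plugging (4) into this expression and rearranging, we get

$$\eta = \sum_{y \in V_f} \sum_{i=1}^{d} (-1)^{i-1} N_{i,y}\, \sigma_i\!\left(1, \tfrac{1}{2}, \dots, \tfrac{1}{d}\right).$$

Let us call the inner sum $\omega_y$, that is:

$$\omega_y = \sum_{i=1}^{d} (-1)^{i-1} N_{i,y}\, \sigma_i\!\left(1, \tfrac{1}{2}, \dots, \tfrac{1}{d}\right).$$

If we can show that for all $y \in V_f$ we have $\omega_y = 1$, then we clearly have $\eta = \#(V_f)$. Let $y \in V_f$ be fixed. Let $k = \#(f^{-1}(y))$. It is clear that $1 \le k \le d$ and $N_{i,y} = k^i$ for $1 \le i \le d$. Substituting this in, our expression mercifully becomes somewhat nicer:

$$\begin{aligned}
\omega_y &= \sum_{i=1}^{d} (-1)^{i-1} k^i\, \sigma_i\!\left(1, \tfrac{1}{2}, \dots, \tfrac{1}{d}\right) \\
&= 1 - \sum_{j=0}^{d} (-1)^{j} k^j\, \sigma_j\!\left(1, \tfrac{1}{2}, \dots, \tfrac{1}{d}\right) && (5) \\
&= 1 - \left[(1 - k)\left(1 - \tfrac{k}{2}\right) \cdots \left(1 - \tfrac{k}{d}\right)\right] && (6) \\
&= 1.
\end{aligned}$$

From step (5) to step (6), we are using the identity

$$\prod_{j=1}^{d} (\lambda - X_j) = \sum_{j=0}^{d} (-1)^j \lambda^{d-j} \sigma_j(X_1, \dots, X_d).$$

Note that the bracketed term of (6) is 0, as $k$ must be an integer such that $1 \le k \le d$, so one term in the product will be 0.

Thus, we have $\eta = \#(V_f)$, as desired. □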

Proposition 4 gives us a way to express $\#(V_f)$ in terms of the numbers of rational points on a sequence of curves over $\mathbb{F}_q$. If we had a way of getting $N_k$ for $1 \le k \le d$, then it would be easy to calculate $\#(V_f)$.
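
An added example, not code from the paper: a brute-force check of the formula in Proposition 4 over small prime fields $\mathbb{F}_p$, with each $N_k$ obtained by direct enumeration of $k$-tuples instead of the $p$-adic point counting the paper goes on to use. The function names and the sample polynomials are constructed for illustration.

```python
from fractions import Fraction
from itertools import product


def poly_eval(coeffs, x, p):
    """Evaluate f(x) mod p by Horner's rule; coeffs are listed low degree first."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def value_set_size_bruteforce(coeffs, p):
    """#(V_f): evaluate f at every point of F_p and count the distinct images."""
    return len({poly_eval(coeffs, x, p) for x in range(p)})


def count_equal_tuples(coeffs, p, k):
    """N_k: number of (x_1, ..., x_k) in F_p^k with f(x_1) = ... = f(x_k)."""
    images = [poly_eval(coeffs, x, p) for x in range(p)]
    return sum(1 for tup in product(images, repeat=k) if len(set(tup)) == 1)


def elementary_symmetric(values):
    """Return [sigma_0, ..., sigma_d] of `values`, read off prod_j (1 + v_j * T)."""
    sigma = [Fraction(1)]
    for v in values:
        padded = sigma + [Fraction(0)]    # current product, one degree of headroom
        shifted = [Fraction(0)] + sigma   # T * (current product)
        sigma = [a + v * b for a, b in zip(padded, shifted)]
    return sigma


def value_set_size_prop4(coeffs, p):
    """#(V_f) = sum_{i=1}^{d} (-1)^(i-1) * N_i * sigma_i(1, 1/2, ..., 1/d)."""
    d = len(coeffs) - 1
    if d < 1 or coeffs[-1] % p == 0:
        raise ValueError("f must have degree d > 0 over F_p")
    sigma = elementary_symmetric([Fraction(1, j) for j in range(1, d + 1)])
    total = sum(
        (-1) ** (i - 1) * count_equal_tuples(coeffs, p, i) * sigma[i]
        for i in range(1, d + 1)
    )
    if total.denominator != 1:
        raise ArithmeticError("formula did not produce an integer")
    return int(total)


# Constructed sample polynomials: (coefficients low degree first, prime p).
SAMPLES = {
    "x^2 over F_7": ([0, 0, 1], 7),
    "x^3 over F_7": ([0, 0, 0, 1], 7),
    "x^3 over F_5 (permutation)": ([0, 0, 0, 1], 5),
    "x^4 + 3x + 1 over F_11": ([1, 3, 0, 0, 1], 11),
}

if __name__ == "__main__":
    for name, (coeffs, p) in SAMPLES.items():
        print(name, value_set_size_bruteforce(coeffs, p),
              value_set_size_prop4(coeffs, p))
```

Enumerating the tuples costs $p^k$ evaluations per $N_k$, so this only confirms the identity on toy inputs; it is the step the point-counting algorithm replaces.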

The spaces $\widetilde{N}_k$ aren't of any nice form (in particular, we cannot assume they are non-singular projective, abelian varieties, etc.), so we proceed by using the $p$-adic point counting method described in [8], which works for any variety over a field of small characteristic (i.e., $p = O((d \log q)^C)$ for some positive constant $C$).

Theorem 6. There exists an explicit deterministic algorithm and an explicit polynomial $R$ such that for any $f \in \mathbb{F}_q[x]$ of degree $d$, where $q = p^m$ ($p$ prime), the algorithm computes the cardinality of the image set, $\#(V_f)$, in a number of bit operations bounded by $R(m^d d^d p^d)$.

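Proof. Recall that $N_k = \#(\widetilde{N}_k)$ with

$$\widetilde{N}_k = \{(x_1, \dots, x_k) \in \mathbb{F}_q^k \mid f(x_1) = \dots = f(x_k)\}
= \left\{ (x_1, \dots, x_k) \in \mathbb{F}_q^k \;\middle|\; \begin{array}{l} f(x_1) - f(x_2) = 0 \\ f(x_1) - f(x_3) = 0 \\ \quad\vdots \\ f(x_1) - f(x_k) = 0 \end{array} \right\}.$$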

For reasons soon to become clear, we need to represent this as the solution set of a single polynomial. Let us introduce additional variables $z_1$ to $z_{k-1}$, and denote $x = (x_1, \dots, x_k)$ and $z = (z_1, \dots, z_{k-1})$. Now examine the auxiliary function

$$F_k(x, z) = z_1 (f(x_1) - f(x_2)) + \dots + z_{k-1} (f(x_1) - f(x_k)). \qquad (7)$$

Clearly, if $\gamma \in \widetilde{N}_k$, then $F_k(\gamma, z)$ is the zero function. If $\gamma \in \mathbb{F}_q^k \setminus \widetilde{N}_k$, then the solutions of $F_k = 0$ specify a $(k-2)$-dimensional $\mathbb{F}_q$-linear subspace of $\mathbb{F}_q^{k-1}$. Thus, if we denote the cardinality of the solution set to $F_k(x, z) = 0$ as $\#(F_k)$, then we see that

$$\begin{aligned}
\#(F_k) &= q^{k-1} N_k + q^{k-2} (q^k - N_k) \\
&= N_k q^{k-2} (q - 1) + q^{2k-2}.
\end{aligned}$$

Solving for $N_k$, we find that

$$N_k = \frac{\#(F_k) - q^{2k-2}}{q^{k-2}(q - 1)}. \qquad (8)$$

Thus we have an easy way to determine what $N_k$ is depending on the number of points on this hypersurface defined by the single polynomial equation $F_k = 0$.

The main theorem in [8] yields an algorithm for toric point counting in $\mathbb{F}_{q^\ell}$ for small characteristic (i.e., $p = O((d \log q)^C)$ for some positive constant $C$) that works for general varieties. In [8, §6.4], this theorem is adapted to be a generic point counting algorithm.

Adapting this result to our problem, we see that $F_k$ has a total degree of $d + 1$, is in $2k - 1$ variables, and that we only care about the case where $\ell = 1$. Thus, the runtime for this algorithm

operations. In order to calculate $\#(V_f)$ using equation (3), we calculate $N_k$ for $1 \le k \le d$, scaled by an elementary symmetric polynomial. All of the necessary elementary symmetric polynomials can be evaluated using Newton's identity (see in less than $O(d^2 \log d)$ multiplications. As such, the entire calculation has a runtime of $\tilde{O}(2^{8d+1} m^{6d+4} d^{12d-1} p^{4d+2})$ bit operations. For consistency with [8], we can then note that as $d > 1$, we can write $2^{8d+1} = d^{(\log_d 2)(8d+1)}$. Thus, there is a polynomial, $R$, in one variable such that the runtime of this algorithm is bounded by $R(m^d d^d p^d)$ bit operations. In the dense polynomial model, the polynomial $f$ has input size $O(d \log q)$, so this algorithm does not have polynomial runtime with respect to the input length. This algorithm has runtime that is exponential in the degree of the polynomial, $d$, and polynomial in $m$ and $p$. □



6 Open Problems 

Though value sets of polynomials appear to be closely related to zero sets, they are not as well-studied. There are many interesting open problems about value sets. The most important one is to find a counting algorithm with running time $(d \log q)^{O(1)}$, that is, a deterministic polynomial time algorithm in the dense model. It is not clear if this is always possible. Our result affirmatively solves this problem for fixed $d$ if characteristic $p$ is reasonably small. We conjecture that the same result is true for fixed $d$ and all characteristic $p$.

For the complexity side, can one prove that the counting problem for sparse polynomials in 
prime-order finite fields is hard? Can one prove that the counting problem for dense input model 
is hard for general degree d? 